NIST, ISO, COBIT, ITIL – Which Cyber Framework Rules Them All?

Before we jump into the business of the day, here is the cybersecurity news you might have missed this week:

  • Bank of America spends $1 billion on cybersecurity annually. Bank of America reportedly spends $1 billion on improving its cybersecurity every year. CEO Brian Moynihan made this known in light of the recent wave of attacks crippling private and government agencies. Whether spending a lot means spending well remains to be seen.

  • Volkswagen North America suffers a data breach. Volkswagen is the latest victim in a cyberattack that has impacted more than 3.3 million of the automotive giant's North American customers. It was revealed that the breach involved the harvesting of limited personal details about customers and potential buyers gathered between 2014 and 2019. This information was reportedly left unsecured in an electronic file.

  • FBI recovers more than half of Colonial Pipeline's ransom pay. Through the FBI, the Department of Justice has recovered 63.7 bitcoins (the equivalent of $2.3 million) from the ransomware funds paid by Colonial Pipeline to the hacking group, DarkSide. CEO of Colonial Pipeline, Joseph Blount, extended his gratitude to the FBI for the swift intervention in responding to the attack that crippled the company's operations last month.

And now to the topic of the day.

Securing your business’s infrastructure may be one of the best and easily justifiable spending decisions you can make as a business exec. Why? Every 39 seconds, a breach is happening somewhere on the web. In 2021, cyberattacks are not only widespread but take ever more complex forms with each successive year.

Over the last few weeks, we saw how bad actors exploited the vulnerabilities of major corporations like Colonial Pipeline, JBS USA, and key healthcare providers in the country. As the commoditization of personally identifiable information, protected health information, and sensitive financial data continues on the Dark Web, most can tell that cyberattacks aren't going anywhere for the foreseeable future. In fact, with quantum computing technology raising its head, things in the upcoming decade are likely to get a lot wilder.

Still, what set of measures can your business implement to protect critical business assets and staff against an attack? Determining exactly what measures you should deploy to identify, detect, respond, and recover from imminent threats can be daunting.

Luckily, there are four major cyber frameworks (NIST, ISO, COBIT, ITIL) that contain best practices and standards to foster efficient cyber protection. With each of them distinct in its own way, which one is more efficient?

Let's find out.

NIST SP 800-53

National Institute of Standards and Technology (NIST) Special Publication 800-53 is a federal government-approved guideline that focuses on security controls. It is in line with Federal Information Processing Standard (FIPS) 200.

Federal agencies in the US commonly use this framework for security compliance and implementations of the information security management system (ISMS) – minus those directly involved with national security.

Admittedly, the catalogue of controls included in the framework is considerable. However, NIST is better suited to organizations that are not willing to spend significant time tailoring it to their own industry, which leaves the framework somewhat generic as applied.

Even if the NIST framework fits your industry, it focuses strongly on information security and may not be comprehensive enough to boost the effectiveness of your overall cybersecurity program across people, processes and technology.

ISO 27001/27002

The International Organization for Standardization (ISO) aims to offer best practices and improvement suggestions for the aforementioned ISMS standard. This framework is heavily IT-focused and allows your IT team to effectively identify and manage lapses in your security infrastructure.

ISO 27001 and 27002 are widely known and are typically used together to provide a coherent IT infrastructure and security management system. This, however, introduces the same caveat as with NIST: in the real world, cybersecurity is a top-to-bottom holistic concern and cannot be effectively managed by IT efforts alone.

COBIT 2019

Control Objectives for Information and Related Technologies (COBIT), in its most recent iteration, COBIT 2019, is a solid framework that guides processes in a way that allows business executives to roll out major policies and procedures across strategy, innovation, risk management, asset management, and more.

First released in 1996 and managed by the Information Systems Audit and Control Association (ISACA) to this day, COBIT is constantly updated to include sort-of-current technology and is globally accepted and used by major corporations and small businesses alike.

Unlike the highly IT-centric NIST and ISO, however, COBIT defines the components and design factors needed to build and sustain a best-fit overall governance system. It also plays nicely with other IT and cyber risk management frameworks such as ITIL, CMMI and TOGAF, which makes it a great option as an umbrella framework to unify processes across an entire organization.

The COBIT Core Model includes 40 governance and management objectives for establishing a governance program. It ultimately helps align business goals with IT goals by establishing links between the two and creating a process that can help bridge the gap between IT, or IT silos, and outside departments. Some critics, however, say that the framework is too high-level.

ITIL

The Information Technology Infrastructure Library (ITIL) is a set of best practices that organizations adopt to align business goals with IT resources. Developed by the British government's Central Computer and Telecommunications Agency (CCTA) during the 1980s specifically for public sector purposes, the OG ITIL spanned 30 full-size books (nobody said IT risk management has to be exciting).

Its relevance has long outgrown the public sector, and it is now generally accepted across private sector organizations. Luckily for your mental health, the framework has by now been condensed into 5 volumes.

The newest version of ITIL focuses on company culture and integrating IT into the overall business structure, encouraging collaboration between IT and other departments, especially as cross-function collaboration within organizations improves and increasingly relies on technology to get work done. ITIL also emphasizes customer feedback, since it’s easier than ever for businesses to understand their public perception, customer satisfaction and dissatisfaction through smart data and feedback analytics.

So What's The Verdict?

In a sense, COBIT provides the “what” and ITIL shows the “how”. In these frameworks' recent updates in particular, they only continue to complement each other. While ISO and NIST have their uses, for maximum efficiency and a holistic approach across all areas of cybersecurity risk management, our pick would be a carefully orchestrated mix of COBIT 2019 and ITIL 4.
